DETAILED ACTION



1. Claims 1-2 and 4-65 have been examined and are rejected under 35
U.S.C. 102(e).

2. Claim 3 is rejected under 35 U.S.C. 103(a). 



Claim Rejections - 35 USC §102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless -

(e) the invention was described in (1) an application for patent, published under section
122(b), by another filed in the United States before the invention by the applicant for patent
or (2) a patent granted on an application for patent by another filed in the United States
before the invention by the applicant for patent, except that an international application
filed under the treaty defined in section 351(a) shall have the effects for purposes of this
subsection of an application filed in the United States only if the international application
designated the United States and was published under Article 21(2) of such treaty in the
English language.

3. Claims 1-2 and 4-65 are rejected under 35 U.S.C. 102(e) as being
anticipated by Reps, et al. (US 6,070,190).

As per claim 1:

Reps, et al. disclose a method for automatically creating a record for one
or more security incidents and reactions thereto, comprising the steps of:

recording security incident information with at least one of a date and
time stamp; [see col. 10, lines 28-56 and col. 14, lines 10-15; a time signature
inherently tells the time and date of a file or a message, which is a time/date stamp
of a file/message (i.e. when created, the last modification, or when received or
sent).]

providing data to enable display of a procedure; [see col. 11, lines 1-10
and lines 42-47]

executing the selected procedure; [see col. 15, lines 11-17]

in response to executing the selected procedure, recording executed
procedure information and results of the executed procedure with at least one
of a date and time stamp; and [see col. 14, lines 3-7 and col. 14, lines 40-43]

outputting a record comprising the security incident information,
executed procedure information, results of one or more executed procedure [see
col. 14, lines 1-18], an identity of a user who selected the procedure [see col. 11,
lines 63-65], and at least one of a corresponding date stamp and time stamp.
[col. 15, line 64 thru col. 16, line 7]

As per claim 2: see col. 9, lines 58-67; discussing an unmodifiable
permanent database. [a permanent database is inherently unmodifiable and to
have an unmodifiable permanent database in this instance is inherently for
monitoring and comparison purposes because the new possible security
incidents and/or procedures are constantly being monitored and need to be
referenced to the recorded older incidents and/or procedures stored in the
database.]

As per claim 4: see col. 16, lines 33-37; discusses extracting the information 
from the results of an executed procedure. 

As per claim 5: see col. 16, lines 38-57; discusses describing a security 
incident with said extraction information. 
As per claim 6: see col. 16, lines 57-65 and col. 18, lines 28-30; discussing
displaying information for a particular security incident to more than one user. 
As per claim 7: see col. 16, lines 19-32 and col.20, lines 25-36; discusses 
prepopulating fields of a record of a first program module from a second 
program module. 
As per claim 8: 

Reps discusses receiving security incident information from a first program 
module; processing the security incident information with a second program 
module; and forwarding the processed security incident information from the 
second program module to a third program module. [col. 24, lines 32-38] 
As per claim 9: see col. 13, lines 30-40; discusses receiving a selection of a 
procedure comprises automatically selecting a procedure with a program 
module. 

As per claim 10: see col. 16, lines 24-60; discusses suggesting a procedure 
with a program module based upon the type of security incident. 
As per claim 11: see col. 15, lines 11-15; discussing that each step is performed
automatically by a program module.

As per claim 12: see col. 15, lines 11-15; discussing some steps are performed 
automatically by a program module. 

As per claim 13: see col. 16, line 54-65 and col.20, lines 27-36; discusses 
displaying reports comprising one or more computer security incidents. 
As per claim 14: see col. 14, lines 40-43; discussing the results of an executed
procedure comprise at least one of text, numbers, images, or formatted 
documents, [the results must be in text, numbers, images, or formatted 
documents if a user can view it on the display] 

As per claim 15: see col. 16, line 54-60; discusses predicting future actions of 
a source of a security incident. 

As per claim 16: see col. 16, lines 34-36; discusses identifying the source of a 
security incident. 

As per claim 17: see col. 14, lines 62-66; discusses sorting decoy or false 
security incidents from actual security incidents. 

As per claim 18: see col. 16, lines 54-60 and col.24, lines 32-38; discusses 
linking a first procedure to a second procedure. 

As per claim 19: see col. 10, lines 45-48; discusses determining the 
authorization level of a user. 

As per claim 20: see col. 11, lines 3-10 and col. 18, lines 49-54; discusses 
providing data to enable display of a procedure further comprises the step of 
providing data for enabling display of one or more steps of a procedure. 
As per claim 21: 

Reps discusses providing data to enable display of a response procedure [see
col. 11, lines 3-10]; executing the response procedure [col. 14, lines 40-43]; and
in response to executing the response procedure, recording executed response
procedure information and results of the executed response procedure with at
least one of a date and time stamp, [col. 14, lines 44-52]
As per claim 22: 

Reps discuss providing data to enable display of an investigation procedure; 
executing the response procedure; and [col. 19, lines 27-39 and col.21, lines 27- 
56] in response to executing an investigation procedure [col. 19, lines 40-61], 
recording executed response procedure information and results of the executed 
response procedure with at least one of a date and time stamp, [col. 14, lines 3- 
21] 

As per claim 23: see col. 11, lines 3-10; discusses providing data to enable 
display of a procedure further comprises the step of providing data to enable 
display of one or more steps of the response procedure. 

As per claim 24: see col. 14, lines 40-43; discusses providing data to enable 
display of results of the executed procedure. 

As per claim 25: see col. 19, lines 54-61; discusses providing data to enable 
display of results of the executed procedure. 

As per claim 26: see col.20, lines 25-31; discusses identifying an appropriate 
computer to execute a step in the investigation procedure; and identifying an 
appropriate computer to execute a step in the response procedure. 
As per claim 27: 

Reps discusses accessing a table comprising computer locations and step
information [col. 5, lines 46-48 and col. 11, lines 48-52]; comparing a step to be
executed with computer locations listed in the table; determining if a match
exists between the step to be executed and the computer locations [col. 14, lines
62-66 and col. 25, lines 31-38]; and if one or more matches exist, displaying the
matching information or automatically selecting appropriate location, [col. 23,
lines 27-48 and col. 25, lines 39-42]

As per claim 28: see col. 11, lines 50-52 and col.25, lines 31-37; discussing 
the table further comprises Internet address ranges, the method further 
comprising the step of comparing an Internet address of a source of a security 
incident with the Internet address ranges of the table. 

As per claim 29: see col. 9, lines 24-35; discusses providing data to enable 
display of an appropriate substitute computer location if a match does not 
exist. 

As per claim 30: see col. 16, lines 34-67; discusses identifying an appropriate 
computer to execute a step in either an investigation or a response procedure, 
wherein the computer is strategically located relative to a source of a security 
incident. 

As per claim 31: see col. 13, lines 30-40; discusses executing one or more 
program modules in response to a selection of a procedure. 

As per claim 32: see col. 9, lines 24-35 and col. 17, lines 45-67; discussing one
or more program modules comprises one or more software application
programs that can operate as stand-alone programs.

As per claim 33: see col. 15, lines 7-10 and col. 17, lines 45-67; discussing one
or more program modules comprises off-the-shelf software application
programs.

As per claim 34: see col. 14, lines 62-66; discussing the security incident 
information comprises predefined attributes. 
As per claim 35: 

Reps discusses that the predefined attributes comprise any one of a computer
incident severity level, a computer incident category, a computer incident scope 
value, a computer incident status value, an attacker internet protocol (IP) 
address value, an attacker ISP name, an attacker country, an external attacker 
status value, an incident type value, a vulnerabilities level, an entry point 
value, an attack profile value, a target networks value, a target firewalls value, 
a target hosts value, a target services value, a target accounts value, and a 
damage type value. [col. 11, lines 15-26 and col. 12, lines 1-3] 
As per claim 36: see col. 11, lines 15-26; discussing the security incident 
information comprises attributes that are at least one of variable and 
computer-generated. 

As per claim 37: see col. 11, lines 15-26; discusses whether a security incident 
comprises an actual breach in security based upon values of its attributes. 
As per claim 38: see col. 11, lines 28-34; discusses receiving a selection for a 
step of a procedure; and generating a pre-execution warning prior to the 
selection of a step. 
As per claim 39:

Reps discusses receiving a selection for a step of a procedure, executing the
selected step [see col. 15, lines 11-17], and suggesting an appropriate
subsequent step in the procedure, [col. 15, lines 20-41]

As per claim 40: see col. 13, lines 30-40 and col. 15, lines 11-15; discussing 
each step is performed automatically in response to a detected computer 
security incident. 
As per claim 41: 

Reps discusses providing data to enable display of a plurality of computer tools
in a non-procedural manner; receiving a selection for a computer tool [col. 9,
lines 24-35 and lines 55-57]; and executing the selected computer tool. [col. 15,
lines 7-15]
As per claim 42: 

Reps, et al. disclose a method for organizing and recording reactions to 
one or more security incidents, comprising the steps of: 

providing data to enable display of one or more security investigation
procedures; [col. 19, lines 27-39 and col. 21, lines 27-56]

providing data to enable display of one or more security response
procedures; [see col. 11, lines 3-10]

in response to a selection of a security investigation procedure, providing
data to enable display of one or more corresponding investigation steps; [col. 19,
lines 40-61],

in response to a selection of a security response procedure, providing
data to enable display of one or more corresponding response steps; and
[col. 14, lines 44-52]

generating a permanent record comprising security incident information, 
executed investigation step and result information, executed response step and 
result information, and corresponding date and time stamps. [col. 14, lines 3- 
18] 

As per claim 43: see coL, lines; discussing recording executed investigation 
step information and results of the executed investigation step with at least one 
of a date and time stamp in response to a selection of a step of a response 
procedure, [col. 14, lines 3-18 and col. 19, lines 41-54] 

As per claim 44: see col. 14, lines 3-43; discussing recording executed 
response step information and results of the executed response step with at 
least one of a date and time stamp in response to a selection of a step of a 
response procedure. 
As per claim 45: 

Reps discuss providing data to enable display of a plurality of procedures; 
in response to receiving a selection of a procedure, displaying a plurality of 
steps [col. 14, lines 3-43]; obtaining modification information for the selected 
procedure; and storing the modification information. [col. 20, lines 27-25-45
and col. 25, lines 31-53]



Application/ Control Number: 09/685,285 Page 11 

Art Unit: 2135 

As per claim 46: see col. 25, lines 31-53; discusses adding or deleting a step in
a procedure.

As per claim 47: 

Reps discusses providing data to enable display of a plurality of steps of a 
procedure [see col. 11, lines 1-10 and lines 42-47]; in response to receiving a 
selection of a step, providing data to enable display of detailed information 
fields related to the selected step [see col. 19, lines 27-39]; obtaining
modification information for the selected step; and storing the modification 
information. [col.20, lines 27-25-45 and col. 25, lines 31-53] 

As per claim 48: see col.20, lines 27-25-45 and col.25, lines 31-53; discusses 
adding, deleting or modifying a step in a procedure. 
As per claim 49: 

Reps discusses obtaining computer security incident search information and 
providing data to enable display of a plurality of one or more computer security 
incidents matching the computer security incident search information, [col. 16, 
lines 34-65] 
As per claim 50: 

Reps discuss tracking multiple computer security incidents and storing
information for each computer security incident in accordance with at least one of date
and time stamp, [col. 14, lines 3-43]
As per claim 51:

Reps discloses a method for selecting a computer that is strategically 
located relative to a source of a security incident, comprising the steps of: 

accessing a table comprising computer, Internet address ranges, and 
security step information; [col. 5, lines 46-48 and col. 11, lines 48-52]

comparing a security step to be executed and a target Internet address 
with computer locations and Internet address ranges listed in the table; 
[col. 14, lines 62-66 and col. 25, lines 31-38] 

determining if a match exists between the security step to be executed 
and the computer locations; [col. 23, lines 27-48 and col. 25, lines 39-42] 

determining if a match exists between an Internet address of a security 
incident and Internet address ranges listed in the table; and [col. 11, lines 50-52
and col. 25, lines 31-37]

selecting a computer to execute the security step based upon the 
matching steps, wherein the computer has a location and is capable of 
interacting with the Internet address of the security incident, [col. 11, lines 50- 
65 and col.25, lines 31-37] 
As per claim 52: 

Reps discusses if one or more matches exist, providing data to enable display 
of the matching information and if a match does not exist, providing data to 
enable display of one or more appropriate substitute computer location or 
automatically selecting an appropriate location, [col. 9, lines 24-35] 
As per claim 53: see col. 16, lines 34-67; discusses a portion of a security
response procedure, wherein the computer is strategically located relative to a 
source of a security incident. 

As per claim 54: see col. 19, lines 27-46; discusses a portion of a security 
investigation procedure, wherein the computer is strategically located relative 
to a source of a security incident. 

As per claim 55: see col. 15, lines 7-10; discussing one or more off the shelf 
security application programs. 
As per claim 56: 

Reps discloses a method for generating a permanent record of one or
more computer security incidents and reactions thereto, comprising the steps 
of: 

displaying one or more tools; [col. 9, lines 24-35 and lines 55-57] 
receiving a selection of a tool; [col. 15, lines 7-15 ] 

in response to a selection of a tool, forwarding data for execution of the 
tool; and [col. 13, lines 17-25] 

forwarding data for generating a permanent record comprising security 
incident information, executed tool information, and corresponding date and 
time stamp. [col. 14, lines 3-43] 

As per claim 57: see col. 11, lines 3-6; discusses displaying the tools as icons 
on a computer display. 
As per claim 58: see col. 12, lines 1-10 and lines 17-23; discusses displaying a
plurality of tools that are selectable from a menu. 

As per claim 59: see col. 12, lines 17-23 and col. 17, lines 45-67; discusses 
installing the one or more program modules within a single program on a 
server. 

As per claim 60: see col. 9, lines 25-28 and col. 12, lines 17-23; discusses
installing the one or more program modules on a single server.

As per claim 61: see col. 17, lines 45-67; discusses installing the one or more
program modules on a computer that is a target of a computer incident.

As per claim 62: see col. 9, lines 52-57; discusses installing the one or more
program modules on both a computer that is a target of a computer incident
and a server.

As per claim 63: see col. 14, lines 62-66 and col. 17, lines 18-28; discussing 
comparing an Internet address of a computer subject to an attack or a security 
breach with the Internet address ranges of the table. 

As per claim 64: see col. 14, lines 62-66 and col. 25, lines 31-50; discussing 
comparing an Internet address of a witness to a security incident with the 
Internet address ranges of the table. 

As per claim 65: see col. 17, lines 18-28 and col. 25, lines 31-50; discussing 
comparing an Internet address of an accomplice to a security incident with the 
Internet address ranges of the table. 

Claim Rejections - 35 USC §103



The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived by 
the manner in which the invention was made. 

2. Claims 1-65 are rejected under 35 U.S.C. 103(a) as being obvious over 
Reps, et al. (US 6,477,585) and further in view of Todd Sundsted. 
As per claim 3: 

Reps disclose recording security incident information with at least one of
a date and time stamp [see col. 10, lines 28-56 and col. 14, lines 10-40] and
providing data to enable display of a procedure [see col. 11, lines 1-10 and lines
42-47]. The Examiner points out that a time signature inherently tells the time
and date of a file or a message, which is a time/date stamp of a file/message (i.e.
when created, the last modification, or when received or sent). However, Reps
fails to include the teachings of a digital signature.

Sundsted teaches a digital signature that is generated from a
file/message and comes with a secret key. Sundsted teaches that the digital
signature cannot be forged and that the file/message cannot be changed without
invalidating the signature, which means the integrity of the message is kept by
having a digital signature.

Therefore, it would have been obvious to one of ordinary skill in the art at
the time of the invention to include the digital signature of Sundsted with the
teachings of Reps in order to maintain the authenticity and integrity of the
file/message.



Any inquiry concerning this communication or earlier communications 
from the examiner should be directed to LEYNNA T. HA whose telephone 
number is (703) 305-3853. The examiner can normally be reached on Monday 
- Thursday (7:00 - 5:00PM). 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Kim Vu can be reached on (703) 305-4393. The fax 
phone number for the organization where this application or proceeding is 
assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see 
http://pair-direct.uspto.gov. Should you have questions on access to the 
Private PAIR system, contact the Electronic Business Center (EBC) at
866-217-9197 (toll-free).